OAIC finalises investigation into Telstra mailing list error

Monday, 11 October 2010

The Office of the Australian Information Commissioner (OAIC) today released the findings of its investigation into a mailing list error by Telstra Corporation Limited (Telstra) which resulted in approximately 60,300 Telstra customers’ personal information being sent to other customers.

Australian Privacy Commissioner Timothy Pilgrim opened an investigation after Telstra notified him of the incident in October 2010.

Mr Pilgrim’s investigation focused on two specific requirements under the Privacy Act:

whether Telstra had disclosed its customers’ personal information for a purpose other than the primary purpose for which it was collected; and

whether Telstra had reasonable steps in place to protect its customers’ personal information from misuse and loss and from unauthorised access, modification and disclosure.

“Our investigation has confirmed that while Telstra breached the Privacy Act when the personal information of a number of its customers was disclosed to third parties, this incident was caused by a one-off human error. It was not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act.”

The investigation revealed that Telstra had a range of security measures in place to protect customer personal information involved in mail campaigns. These measures include privacy obligations in agreements with mailing houses, privacy impact assessments at the outset of mail out initiatives, and procedures to ensure staff handle personal information appropriately during mail campaigns.

“In this instance, taking into account the range of measures Telstra has in place for mail campaigns, I consider that the one-off human error that occurred does not mean that Telstra failed to comply with its obligation to take reasonable steps to protect the personal information of its customers. Therefore, I consider that Telstra has not breached this particular aspect of the Privacy Act,” the Privacy Commissioner said.

On becoming aware of the unauthorised disclosure of customer information, Telstra acted immediately to prevent further breaches, notify customers and commence a review of its data security practices.

Mr Pilgrim noted that while the OAIC had found that Telstra had taken reasonable steps to protect the personal information of its customers, if the OAIC receives an individual complaint about this matter, that complaint would be considered on its own merits.

“Incidents such as this one highlight how important it is for all organisations to take steps to protect their customers’ privacy. If such an incident does occur, it is best practice to notify the OAIC as soon as possible and take action immediately to prevent further breaches,” he said.

The Privacy Commissioner noted that the Australian Government was currently considering recommendations from the Australian Law Reform Commission to introduce mandatory data breach notification laws in Australia.

Media contact: Mr Kieran Colreavy 0407 663 968 media@oaic.gov.au

For more information about the OAIC, please see www.oaic.gov.au.

Background

The Privacy Act contains 10 National Privacy Principles (NPPs) that regulate the way that Australian businesses handle personal information about individuals.

NPP 2.1 prohibits organisations from disclosing personal information for a purpose other than the primary purpose of collection, unless one of a number of exceptions applies. These include if the individual has consented to the disclosure, or if the disclosure is required by law.

The OAIC’s investigation found that Telstra had breached NPP 2.1 by improperly disclosing its customers’ personal information. The investigation also found that Telstra did have reasonable steps in place to protect its customers’ personal information, meaning that it complied with NPP 4.1 in these circumstances.